SoD Violations: 5 Main Causes and How Analytics can Prevent Them
Nick Sorenson
July 1, 2021

What are SoD Violations?

Separation of Duties (SoD) is an internal control that uses role-based access controls (RBAC) to prevent errors and risk by dividing the responsibilities required to complete a business process. The goal is to enable organizations to prevent conflicts of interests and improve compliance and security.

SoD enables you to assign distinct roles to different user identities, including teams, third parties, and individuals. You can assign each role to one specific part of the transactional workflow of your organization. 

SoD helps you keep track of access violations. An SoD violation occurs when a user exploits an SoD risk by performing both ends of a separated business process to complete one or more transactions.  

Technically, a violation occurs when users gain access to a stage above their assigned stage within the workflow.  For example, the ability to enter vendor invoices and also perform buyer setup is considered a SoD violation. \

SoD Violations vs. SoD Conflicts

SoD violations are organizational role behaviors and may indicate fraudulent or criminal activity. For example, if the same person creates and also signs a purchase order, there is a concern that the purchase order may have been tampered with to steal funds. SoD violations do not necessarily indicate illegal behavior, but they represent a strong risk of such behavior and should be investigated by the organization.

SoD conflicts refers to a role within an organization that has the authority to influence financial activity or an organization’s financial reporting, by performing multiple steps in a financial workflow. For example, the same person is authorized to create and sign a new purchase order (even if they have never done so in practice). SoD conflicts are not yet an actual problem, but they represent a risk. Early identification of SoD conflicts is essential to avoid SoD violations.

By preventing SoD conflicts, organizations can prevent SoD violations before they happen. However, organizations need to live with some SoD conflicts to allow the business to operate smoothly, so it is still important to monitor and address SoD violations on an ongoing basis.

5 Causes of Separation of Duties Violations

1. Hybrid Environments

Hybrid environments spanning on-premise and cloud applications can support digital transformation, but they also often bring a set of complexities. A company may use several applications in the course of completing a single business process. Some are still local and some are in the cloud. When access to hybrid environments is not centrally managed, there can be potential SOD conflicts that emerge from cross application workflows. 

While knowing exactly who has what access is important, many solutions do not have a central location that monitors all access. Certain applications (such as SAP) have their own built-in governance, risk and compliance solutions, but they are specific to their own application(s). Nevertheless, there are still many cross-application SoD violations, lack of visibility between applications. Additionally, the potential for human error increases as more applications are scattered across different environments.

2. No Centralized View

When there are many applications with their own roles and security models, one individual tool-specific dashboard cannot analyze and access violations occurring across the entire environment. These dashboards display detailed information about users, roles, and groups in a single application. However, they lack a “rosetta stone” to unify the information and SoD conflicts across the ecosystem.

3. Lack of Defined Roles and Entitlements 

Employment changes are dynamic. This means you need to constantly add, modify, and delete roles. These constant changes require constant monitoring and updating, and manual input cannot handle these tasks, which leads to outdated roles and incorrect entitlements. 

An entitlement is an access right that a role must get in order to properly do their work. Often, access rights are added without existing rights getting removed, compiling risk unnecessarily. These issues can lead to toxic combinations, which can lead to SoD violations.

4. Shadow IT and Ad Hoc Access 

Today’s businesses are required to meet an increasing pace of agility. Access requests should not turn into a bottleneck that prevents employees from performing their job. However, when businesses err too far in the direction of enabling agility, access may be granted without a full assessment of current access rights or entitlements. 

5. Policies and Procedures Not Clearly Defined 

Organizations typically have built-in security solutions that automate various processes. As a result, these processes require a lot of hand-off between various security solutions and teams that need to shepherd the process.  

How Intelligent Analytics can Prevent SoD Violations

It is very difficult to detect all SoD violations using manual methods of reporting on access conflights. Even the most diligent auditors cannot check all conflicting roles all the time. Intelligent analytics solutions that integrate with identity and access management (IAM) can support auditors, by automatically reviewing roles and identifying SoD violations to focus time and attention where it matters. 

Identity Reconciliation

Intelligent analytics solutions can help organizations to standardize the definitions of access and identity across the entire ecosystem. It can help unify all user access in one holistic identity.  This level of visibility into access can help surface cross-application SoD violations. Otherwise, different role and entitlement definitions may cause the system and admins to miss violations.  

Fine-Grained Access Controls

Organizations that expand their digital footprint need to embrace “the principle of least privileges” across all environments, including PaaS, SaaS, and IaaS. Specialized IAM tools can help organizations enforce field-level read and write privileges across all environments and ecosystems. This enables organizations to limit actions that may lead to fraud and mitigate access risk where common role-level SoD conflicts cannot be avoided.

Context-Aware Reviews

RBAC can provide adequate SoD controls for on-premises environments. However, hybrid and cloud environments are more complex, especially in terms of identities and locations. These architectures require context-aware and risk-aware attribute-based access controls (ABAC). Peer-based and usage-based analytics can help organizations in creating more accurate policies that can better prevent SoD violations. 

User Access Requests

Automation can help organizations to streamline access processes, including requests, reviews, and certifications. Organizations can create risk-based rules as well as approval paths. A manual provisioning process may result in human errors or SoD violations. Automation helps organizations create designated delegation rules, approver notifications, escalations, and SoD rules. 

Enforcement

An authoritative identity source can help organizations establish risk-based and context-aware rules that can be enforced by automated tools. Intelligent analytics tools can automatically cross-reference access requests with peer access and policies, and then send alerts that notify relevant stakeholders of potential outliers and over privileged users. Analytics also help tools in providing suggested remediation actions.

Documentation for Audit

SoD processes continuously monitor access requests for SoD conflicts, looking for anomalous behaviors. Once SoD conflicts are surfaced, they need to be assigned and remediated, with the decision making captured in the audit logs. The information captured about these efforts becomes evidence of properly implemented SoD controls, to prove compliance to auditors.

Automating SoD with Pathlock

Pathlock provides a robust, cross-application solution to managing SoD conflicts and violations.  Finance, internal controls, audit, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape. 

With Pathlock, customers can enjoy a complete solution to SoD management, that can monitor conflicts as well as violations to prevent risk before it happens:

  • Integration to 140+ applications, with a “rosetta stone” that can map SoD conflicts and violations across systems
  • Intelligent access-based SoD conflict reporting, showing users’ overlapping conflicts across all of their business systems
  • Transactional control monitoring, to focus time and attention on SoD violations specifically, applying effort towards the largest concentrations of risk
  • Automated, compliant provisioning into business applications, to monitor for SoD conflicts when adding or changing user access
  • Streamlined, intelligent User Access Reviews that highlight unnecessary or unused privileges for removal or inspection
  • Compliant workflows to drive risk mitigation and contain suspicious users before they inflict harm

Interested to find out more about how Pathlock is changing the future of SoD?  Request a demo to explore the leading solution for enforcing compliance and reducing risk.